Common Information

| Type | Value |
|---|---|
| Value | Remote File Copy - T1105 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols, such as file sharing over SMB to connected network shares, or with authenticated connections via Windows Admin Shares or Remote Desktop Protocol. Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that do not normally occur may also be suspicious. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) |
| Platforms | Linux, macOS, Windows |
| Data Sources | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
| Permissions Required | User |
| Requires Network | Yes |
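The detection guidance above suggests looking for clients that send far more than they receive. The following added example (not part of the MISP cluster or MITRE's tooling) aggregates constructed flow records per client/server/port and flags pairs with a strong upload bias; the record format, field names and thresholds are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed record shape (an assumption of this example, not a real exporter format):
# "<timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n> bytes_in=<n>"
FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes_out=(?P<out_b>\d+) bytes_in=(?P<in_b>\d+)"
)

def parse_flows(lines):
    """Yield (src, dst, dport, bytes_out, bytes_in); lines that do not match are skipped."""
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["out_b"]), int(m["in_b"])

def find_uploads(lines, min_bytes=1_000_000, min_ratio=10.0):
    """Aggregate bytes per (client, server, port) and flag pairs where the client
    sent at least min_bytes and at least min_ratio times more than it received.
    Aggregating first catches uploads chunked across many short flows."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, dport, out_b, in_b in parse_flows(lines):
        totals[(src, dst, dport)][0] += out_b
        totals[(src, dst, dport)][1] += in_b
    findings = []
    for (src, dst, dport), (out_b, in_b) in totals.items():
        ratio = out_b / max(in_b, 1)  # one-way flows would otherwise divide by zero
        if out_b >= min_bytes and ratio >= min_ratio:
            findings.append({"client": src, "server": dst, "dport": dport,
                             "bytes_out": out_b, "bytes_in": in_b, "ratio": round(ratio, 1)})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)

# Constructed sample records for offline use.
SAMPLE_FLOWS = [
    # ordinary browsing: the client receives far more than it sends
    "2022-06-28T09:00:01 src=10.0.0.5 dst=198.51.100.10 dport=443 bytes_out=42000 bytes_in=2100000",
    # bulk upload to one external host, chunked across two HTTPS flows
    "2022-06-28T09:05:12 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes_out=2400000 bytes_in=8000",
    "2022-06-28T09:06:40 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes_out=3100000 bytes_in=9500",
    # short FTP control session: too little data to be worth an alert on its own
    "2022-06-28T09:10:00 src=10.0.0.8 dst=203.0.113.9 dport=21 bytes_out=900 bytes_in=1200",
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for f in find_uploads(SAMPLE_FLOWS):
        print(f"{f['client']} -> {f['server']}:{f['dport']} out={f['bytes_out']} "
              f"in={f['bytes_in']} ratio={f['ratio']}")
```

Tune min_bytes and min_ratio against a baseline of normal traffic before alerting, since backup agents and cloud sync clients legitimately show the same upload bias.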
| Details | CTI | Published | Attributes | Title |
|---|---|---|---|---|
| Details | Website | 2022-06-28 | 144 | Raccoon Stealer v2 - Part 1: The return of the dead |
| Details | Website | 2022-06-07 | 5 | Behind the Creation of Detector #1236 - Red Canary |
| Details | Website | 2022-06-07 | 21 | Behind the Scenes of an Active Breach \| Red Canary |
| Details | Website | 2022-06-02 | 99 | To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions \| Mandiant |
| Details | Website | 2022-06-02 | 48 | TAU Threat Analysis: Bundlore (macOS) mm-install-macos |
| Details | Website | 2022-05-21 | 36 | Satan Ransomware Spawns New Methods to Spread |
| Details | Website | 2022-05-17 | 679 | Space Pirates: analyzing the tools and connections of a new hacker group |
| Details | Website | 2022-05-08 | 57 | Ursnif Malware Banks on News Events for Phishing Attacks \| Qualys Security Blog |
| Details | Website | 2022-04-28 | 128 | Tracking APT29 Phishing Campaigns \| Atlassian Trello |
| Details | Website | 2022-04-27 | 15 | Identifying UNC2452-Related Techniques for ATT&CK |
| Details | Website | 2022-03-25 | 121 | Mustang Panda’s Hodur : Vieux trucs, nouvelle variante de Korplug \| WeLiveSecurity |
| Details | Website | 2022-03-18 | 30 | Ransomware Spotlight: Hive - Security News |
| Details | Website | 2022-03-16 | 53 | Have Your Cake and Eat it Too? An Overview of UNC2891 \| Mandiant |
| Details | Website | 2022-03-15 | 28 | Decoding a DanaBot Downloader |
| Details | Website | 2022-03-07 | 25 | PROPHET SPIDER Exploits Citrix ShareFile \| CrowdStrike |
| Details | Website | 2022-02-24 | 123 | Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks \| CISA |
| Details | Website | 2022-02-23 | 314 | (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware \| Mandiant |
| Details | Website | 2022-01-26 | 54 | ALPHV ransomware gang analysis |
| Details | Website | 2022-01-19 | 85 | One Source to Rule Them All: Chasing AVADDON Ransomware \| Mandiant |
| Details | Website | 2022-01-01 | 288 | Shadowpad/technical-indicators at main · SentineLabs/Shadowpad |
| Details | Website | 2021-12-15 | 54 | No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages \| Mandiant |
| Details | Website | 2021-12-01 | 47 | Virus Bulletin :: Collector-stealer: a Russian origin credential and information extractor |
| Details | Website | 2021-11-29 | 160 | CONTInuing the Bazar Ransomware Story |
| Details | Website | 2021-11-18 | 50 | Conti Ransomware \| Qualys Security Blog |
| Details | Website | 2021-11-16 | 12 | Attackers use domain fronting technique to target Myanmar with Cobalt Strike |